Is My Research Exempt from HIPAA?

HIPAA’s Privacy Rule does not apply to clinical research in a few special circumstances. If your research fits into these categories, you need only submit the Why My Research is Exempt from HIPAA’a Privacy Rule Form and indicate how your research is exempt. There are basically two (2) exempt situations.

1. Your research is exempt if you do not collect “protected health information” (PHI) as part of your research. An explanation of “protected health information” can be found by clicking the HIPAA’s Definition of Terms button on the right. Research that falls into this exemption category includes, for example, studies of opinions, the impact of different educational techniques, and studies of health information that is not held by a HIPAA “covered entity,” such as the Framingham Heart Study.

2. Your research is exempt from HIPAA’s Privacy Rule if(a) the Principal Investigator of the study is not a member of the workforce of Boston Medical Center or of a Boston University “covered component” (these include the Dental Clinic and the Dental Pathology Laboratory at the Goldman School of Dental Medicine, BU Dental Plan, and Human Genetics Laboratory), AND(b) the research does not involve gathering protected health information about research subjects from covered entities (such as hospitals or doctors’ offices where the subject has received medical care).This research is exempt even if the investigator will be collecting identifiable health information directly from the subjects. HIPAA’s Privacy Rule only applies to PHI gathered by or from covered entities. If you, as Principal Investigator, were required to attend a HIPAA training session either at BMC or at BU, you are considered a member of their workforces, and your research is not eligible for this exemption. There are two additional issues to consider if you think your research qualifies for exemption #2 above. First, if you plan to use a commercial laboratory to perform assays on your research subjects, those commercial laboratories may expect to see some evidence that you are operating in compliance with HIPAA before releasing lab results to you. Each lab will have its own policy about what evidence they expect. If you do plan to use a commercial laboratory, we suggest that you check with them about their requirements before you assume that your research is exempt from the Privacy Rule. Second, you are not eligible for this exemption if you plan to use the General Clinical Research Center (GCRC) for your research. The GCRC is part of BMC, a HIPAA “covered entity” which is subject to the Privacy Rule.

There are two (2) broad characteristics that automatically make research NOT exempt. First, if the principal investigator is a member of the workforce of Boston Medical Center or of a BU covered component workforce. The BUMC policy is that all such research falls under the Privacy Rule (unless it does not involve protected health information see the first bullet point above). Second, if you plan to collect protected health information from any covered entity as part of your research, the Privacy Rule applies.